It's probably no secret to anyone reading this that the information security requirements for anyone handling credit cards have been increased dramatically recently. These requirements are reflected in the Payment Card Industry Data Security Standard (PCI DSS). As you'd expect, there's been a fair amount of grumbling by the merchants who are the most affected by the new standards. This is to be expected, of course. Nobody wants to spend money on information security that they don't need. So one question to ask is whether or not the PCI DSS is really needed. A look at the market for stolen or compromised sensitive information seems to show that PCI DSS is badly needed and may not even be enough.

One of the best studies on the underground economy of stolen or compromised sensitive information is probably the one done by Jason Franklin, Vern Paxson, Adrian Perrig and Stefan Savage. Their paper that describes their research and what they learned is "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants." You can find a copy of it here. It's well worth the time and effort that it takes to read. One graph from this paper shows the most common types of data that were advertised as being for sale by cyber-criminals. Here's what that graph looks like. 


This graph seems to show that credit card information is widely available. It's more available than Social Security numbers or ATM PINs by a factor of roughly 20 to 1. This means that it's probably the case that credit card information needs to be protected much more than it's being protected now.

The PCI DSS is probably a good first step in this direction, but even complying with the latest version of the PCI DSS isn't enough to guarantee that credit card information won't be lost or stolen, as the recent data breach at Heartland Payment Systems shows. Heartland passed their PCI DSS audit, but hackers still managed to penetrate their system and compromise millions of credit card numbers.

Leave a Reply

Your email address will not be published. Required fields are marked *